On March 2, 2021, the Microsoft Security Response Center released updates for vulnerabilities affecting on-premises deployments of Microsoft Exchange Server 2013/2016/2019. Microsoft also revealed details of active exploitation of these vulnerabilities using zero-day exploits. The exploited vulnerabilities span several classifications, including server-side request forgery (SSRF), deserialization, and a set of arbitrary file write vulnerabilities, all affecting on-premises Exchange deployments. Each of these vulnerabilities had an assigned CVSS base score of 7.8 or higher, placing their severity ratings within the High and Critical range.
In disclosing the active exploitation of these vulnerabilities, Microsoft provided attribution details for the activity. Per their research, the activity is associated with a state-sponsored group they have named “HAFNIUM”. This threat group has reportedly been actively targeting various industries within the United States, ranging from law firms to defense contractors. The group has historically been associated with exploitation of vulnerabilities in publicly accessible services and with specific targeting of Office 365 environments. HAFNIUM also uses readily available open-source tools in its attacks, including Covenant, Nishang, PowerCat, and other common offensive security tools.
The ReliaQuest Threat Management Team is actively collecting, categorizing, and vetting Indicators of Compromise (IoCs) related to this campaign. Known IoCs are being continuously ingested into the GreyMatter Intel platform for use in investigations by the ReliaQuest SOC and ReliaQuest GreyMatter customers. We have proactively engaged with our customers so they understand the risk that this campaign poses, and we are building automated retroactive hunts for known IoCs for those affected. The RQ Threat Advisory Report: HAFNIUM/Exchange Zero-Days outlines the vulnerabilities and their exploitation in more detail, including IoCs and GreyMatter detection capabilities mapped to MITRE ATT&CK and the Kill Chain.